Last year, Freeform Dynamics surveyed the attitudes of tech professionals into IT security.
We found that IT security’s most important raison d'etre was to assure day-to-day operations – that is, keeping the business running (Figure 1).
Many organisations do not practice entirely what they preach, however. While nearly …

COMMENTS

security vs common sense

In Healthcare, IT systems are regulated for GMP and financial compliance. (Others, like data security, are currently internal decisions.) The extra cost, ~x4, is considered an acceptable trade-off for audit paper, less and longer improvement cycles, and less own programming.

The problems currently present themselves as security layers being built in, but not open to discussion at any cost/value trade-off level. The separate internal groups go their own ways, trying to avoid each other's minefields.

Any data protection security legislation is likely to cause additional damage, except to security consultants. Legislation for things like laptop or USB-stick misuse looks out of reach of even the current nappy-monitoring government. So one aim of all IT departments should be solutions good enough to avoid extra legislation.

Security v Governance

I have come to the conclusion that security is the result of good governance, not an end in itself. No one protects a system for its own sake, but for the sake of what it allows access to.

For example, locking your car isn't a distinct activity, it's an integral part of the responsibility of owning and operating a car. In the same way, information access measures are now integral parts of owning a business and processing data.

Technology and IT security are tools to achieve ends, and it's down to the business to effectively govern, and pass those requirements to the technologists and IT security folks to implement that information governance.

When businesses can't be bothered to govern, and allow the tools to dictate the end result, they will - quite deservedly - get poor results.

A voice of reason

This is one article that every security professional should read. The reason why security legislation and regulation fails to gain traction is a simple case of failing to understand how the business operates.

We talk about security as a separate activity, but this leads to it being seen as a cancer on business performance, with it eventually encroaching on every activity until it impairs the performance of the business.

Take ISO-27001:2005 for example: it mandates the creation of an Information Security Management System which can (if implemented properly) be used to manage all types of risk (Credit, Health and Safety, Financial etc) but it rarely does. The PCI-DSS is another example where people are employed (What does a Business Analyst actually provide over a good consultant BTW?) just to understand what the business does, because the security professionals aren't perceived to be able to. PCI-DSS projects, in particular, therefore become focussed on the technology rather than the management of risk surrounding payment card information.

We need to throw the technical-focussed perception off ourselves, and free our minds to actually look towards understanding and supporting business objectives and processes to define appropriate security mechanisms that support the management of risk within the organisation.

The main problem is that all of this is intangible and requires time and effort which many companies don't see the benefit in expending, but the fact is that this is the reason why the credit crunch has happened and we need to use lessons learned to create a new perception about the usefulness of corporate governance.